|
|
|
|
@ -1063,6 +1063,23 @@ static void *stbi__malloc_mad4(int a, int b, int c, int d, int add) |
|
|
|
|
} |
|
|
|
|
#endif |
|
|
|
|
|
|
|
|
|
// returns 1 if the sum of two signed ints is valid (between -2^31 and 2^31-1 inclusive), 0 on overflow.
|
|
|
|
|
static int stbi__addints_valid(int a, int b) |
|
|
|
|
{ |
|
|
|
|
if ((a >= 0) != (b >= 0)) return 1; // a and b have different signs, so no overflow
|
|
|
|
|
if (a < 0 && b < 0) return a >= INT_MIN - b; // same as a + b >= INT_MIN; INT_MIN - b cannot overflow since b < 0.
|
|
|
|
|
return a <= INT_MAX - b; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// returns 1 if the product of two signed shorts is valid, 0 on overflow.
|
|
|
|
|
static int stbi__mul2shorts_valid(short a, short b) |
|
|
|
|
{ |
|
|
|
|
if (b == 0 || b == -1) return 1; // multiplication by 0 is always 0; check for -1 so SHRT_MIN/b doesn't overflow
|
|
|
|
|
if ((a >= 0) == (b >= 0)) return a <= SHRT_MAX/b; // product is positive, so similar to mul2sizes_valid
|
|
|
|
|
if (b < 0) return a <= SHRT_MIN / b; // same as a * b >= SHRT_MIN
|
|
|
|
|
return a >= SHRT_MIN / b; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// stbi__err - error
|
|
|
|
|
// stbi__errpf - error returning pointer to float
|
|
|
|
|
// stbi__errpuc - error returning pointer to unsigned char
|
|
|
|
|
@ -1985,9 +2002,12 @@ static int stbi__build_huffman(stbi__huffman *h, int *count) |
|
|
|
|
int i,j,k=0; |
|
|
|
|
unsigned int code; |
|
|
|
|
// build size list for each symbol (from JPEG spec)
|
|
|
|
|
for (i=0; i < 16; ++i) |
|
|
|
|
for (j=0; j < count[i]; ++j) |
|
|
|
|
for (i=0; i < 16; ++i) { |
|
|
|
|
for (j=0; j < count[i]; ++j) { |
|
|
|
|
h->size[k++] = (stbi_uc) (i+1); |
|
|
|
|
if(k >= 257) return stbi__err("bad size list","Corrupt JPEG"); |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
h->size[k] = 0; |
|
|
|
|
|
|
|
|
|
// compute actual symbols (from jpeg spec)
|
|
|
|
|
@ -2112,6 +2132,8 @@ stbi_inline static int stbi__jpeg_huff_decode(stbi__jpeg *j, stbi__huffman *h) |
|
|
|
|
|
|
|
|
|
// convert the huffman code to the symbol id
|
|
|
|
|
c = ((j->code_buffer >> (32 - k)) & stbi__bmask[k]) + h->delta[k]; |
|
|
|
|
if(c < 0 || c >= 256) // symbol id out of bounds!
|
|
|
|
|
return -1; |
|
|
|
|
STBI_ASSERT((((j->code_buffer) >> (32 - h->size[c])) & stbi__bmask[h->size[c]]) == h->code[c]); |
|
|
|
|
|
|
|
|
|
// convert the id to a symbol
|
|
|
|
|
@ -2130,6 +2152,7 @@ stbi_inline static int stbi__extend_receive(stbi__jpeg *j, int n) |
|
|
|
|
unsigned int k; |
|
|
|
|
int sgn; |
|
|
|
|
if (j->code_bits < n) stbi__grow_buffer_unsafe(j); |
|
|
|
|
if (j->code_bits < n) return 0; // ran out of bits from stream, return 0s intead of continuing
|
|
|
|
|
|
|
|
|
|
sgn = j->code_buffer >> 31; // sign bit always in MSB; 0 if MSB clear (positive), 1 if MSB set (negative)
|
|
|
|
|
k = stbi_lrot(j->code_buffer, n); |
|
|
|
|
@ -2144,6 +2167,7 @@ stbi_inline static int stbi__jpeg_get_bits(stbi__jpeg *j, int n) |
|
|
|
|
{ |
|
|
|
|
unsigned int k; |
|
|
|
|
if (j->code_bits < n) stbi__grow_buffer_unsafe(j); |
|
|
|
|
if (j->code_bits < n) return 0; // ran out of bits from stream, return 0s intead of continuing
|
|
|
|
|
k = stbi_lrot(j->code_buffer, n); |
|
|
|
|
j->code_buffer = k & ~stbi__bmask[n]; |
|
|
|
|
k &= stbi__bmask[n]; |
|
|
|
|
@ -2155,6 +2179,7 @@ stbi_inline static int stbi__jpeg_get_bit(stbi__jpeg *j) |
|
|
|
|
{ |
|
|
|
|
unsigned int k; |
|
|
|
|
if (j->code_bits < 1) stbi__grow_buffer_unsafe(j); |
|
|
|
|
if (j->code_bits < 1) return 0; // ran out of bits from stream, return 0s intead of continuing
|
|
|
|
|
k = j->code_buffer; |
|
|
|
|
j->code_buffer <<= 1; |
|
|
|
|
--j->code_bits; |
|
|
|
|
@ -2192,8 +2217,10 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman |
|
|
|
|
memset(data,0,64*sizeof(data[0])); |
|
|
|
|
|
|
|
|
|
diff = t ? stbi__extend_receive(j, t) : 0; |
|
|
|
|
if (!stbi__addints_valid(j->img_comp[b].dc_pred, diff)) return stbi__err("bad delta","Corrupt JPEG"); |
|
|
|
|
dc = j->img_comp[b].dc_pred + diff; |
|
|
|
|
j->img_comp[b].dc_pred = dc; |
|
|
|
|
if (!stbi__mul2shorts_valid(dc, dequant[0])) return stbi__err("can't merge dc and ac", "Corrupt JPEG"); |
|
|
|
|
data[0] = (short) (dc * dequant[0]); |
|
|
|
|
|
|
|
|
|
// decode AC components, see JPEG spec
|
|
|
|
|
@ -2207,6 +2234,7 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman |
|
|
|
|
if (r) { // fast-AC path
|
|
|
|
|
k += (r >> 4) & 15; // run
|
|
|
|
|
s = r & 15; // combined length
|
|
|
|
|
if (s > j->code_bits) return stbi__err("bad huffman code", "Combined length longer than code bits available"); |
|
|
|
|
j->code_buffer <<= s; |
|
|
|
|
j->code_bits -= s; |
|
|
|
|
// decode into unzigzag'd location
|
|
|
|
|
@ -2246,8 +2274,10 @@ static int stbi__jpeg_decode_block_prog_dc(stbi__jpeg *j, short data[64], stbi__ |
|
|
|
|
if (t < 0 || t > 15) return stbi__err("can't merge dc and ac", "Corrupt JPEG"); |
|
|
|
|
diff = t ? stbi__extend_receive(j, t) : 0; |
|
|
|
|
|
|
|
|
|
if (!stbi__addints_valid(j->img_comp[b].dc_pred, diff)) return stbi__err("bad delta", "Corrupt JPEG"); |
|
|
|
|
dc = j->img_comp[b].dc_pred + diff; |
|
|
|
|
j->img_comp[b].dc_pred = dc; |
|
|
|
|
if (!stbi__mul2shorts_valid(dc, 1 << j->succ_low)) return stbi__err("can't merge dc and ac", "Corrupt JPEG"); |
|
|
|
|
data[0] = (short) (dc * (1 << j->succ_low)); |
|
|
|
|
} else { |
|
|
|
|
// refinement scan for DC coefficient
|
|
|
|
|
@ -2282,6 +2312,7 @@ static int stbi__jpeg_decode_block_prog_ac(stbi__jpeg *j, short data[64], stbi__ |
|
|
|
|
if (r) { // fast-AC path
|
|
|
|
|
k += (r >> 4) & 15; // run
|
|
|
|
|
s = r & 15; // combined length
|
|
|
|
|
if (s > j->code_bits) return stbi__err("bad huffman code", "Combined length longer than code bits available"); |
|
|
|
|
j->code_buffer <<= s; |
|
|
|
|
j->code_bits -= s; |
|
|
|
|
zig = stbi__jpeg_dezigzag[k++]; |
|
|
|
|
@ -3102,6 +3133,7 @@ static int stbi__process_marker(stbi__jpeg *z, int m) |
|
|
|
|
sizes[i] = stbi__get8(z->s); |
|
|
|
|
n += sizes[i]; |
|
|
|
|
} |
|
|
|
|
if(n > 256) return stbi__err("bad DHT header","Corrupt JPEG"); // Loop over i < n would write past end of values!
|
|
|
|
|
L -= 17; |
|
|
|
|
if (tc == 0) { |
|
|
|
|
if (!stbi__build_huffman(z->huff_dc+th, sizes)) return 0; |
|
|
|
|
@ -3976,6 +4008,7 @@ static void *stbi__jpeg_load(stbi__context *s, int *x, int *y, int *comp, int re |
|
|
|
|
unsigned char* result; |
|
|
|
|
stbi__jpeg* j = (stbi__jpeg*) stbi__malloc(sizeof(stbi__jpeg)); |
|
|
|
|
if (!j) return stbi__errpuc("outofmem", "Out of memory"); |
|
|
|
|
memset(j, 0, sizeof(stbi__jpeg)); |
|
|
|
|
STBI_NOTUSED(ri); |
|
|
|
|
j->s = s; |
|
|
|
|
stbi__setup_jpeg(j); |
|
|
|
|
@ -3989,6 +4022,7 @@ static int stbi__jpeg_test(stbi__context *s) |
|
|
|
|
int r; |
|
|
|
|
stbi__jpeg* j = (stbi__jpeg*)stbi__malloc(sizeof(stbi__jpeg)); |
|
|
|
|
if (!j) return stbi__err("outofmem", "Out of memory"); |
|
|
|
|
memset(j, 0, sizeof(stbi__jpeg)); |
|
|
|
|
j->s = s; |
|
|
|
|
stbi__setup_jpeg(j); |
|
|
|
|
r = stbi__decode_jpeg_header(j, STBI__SCAN_type); |
|
|
|
|
@ -4014,6 +4048,7 @@ static int stbi__jpeg_info(stbi__context *s, int *x, int *y, int *comp) |
|
|
|
|
int result; |
|
|
|
|
stbi__jpeg* j = (stbi__jpeg*) (stbi__malloc(sizeof(stbi__jpeg))); |
|
|
|
|
if (!j) return stbi__err("outofmem", "Out of memory"); |
|
|
|
|
memset(j, 0, sizeof(stbi__jpeg)); |
|
|
|
|
j->s = s; |
|
|
|
|
result = stbi__jpeg_info_raw(j, x, y, comp); |
|
|
|
|
STBI_FREE(j); |
|
|
|
|
@ -5117,6 +5152,7 @@ static int stbi__parse_png_file(stbi__png *z, int scan, int req_comp) |
|
|
|
|
if (first) return stbi__err("first not IHDR", "Corrupt PNG"); |
|
|
|
|
if (pal_img_n && !pal_len) return stbi__err("no PLTE","Corrupt PNG"); |
|
|
|
|
if (scan == STBI__SCAN_header) { s->img_n = pal_img_n; return 1; } |
|
|
|
|
if (c.length > (1u << 30)) return stbi__err("IDAT size limit", "IDAT section larger than 2^30 bytes"); |
|
|
|
|
if ((int)(ioff + c.length) < (int)ioff) return 0; |
|
|
|
|
if (ioff + c.length > idata_limit) { |
|
|
|
|
stbi__uint32 idata_limit_old = idata_limit; |
|
|
|
|
@ -7494,6 +7530,8 @@ static int stbi__pnm_getinteger(stbi__context *s, char *c) |
|
|
|
|
while (!stbi__at_eof(s) && stbi__pnm_isdigit(*c)) { |
|
|
|
|
value = value*10 + (*c - '0'); |
|
|
|
|
*c = (char) stbi__get8(s); |
|
|
|
|
if((value > 214748364) || (value == 214748364 && *c > '7')) |
|
|
|
|
return stbi__err("integer parse overflow", "Parsing an integer in the PPM header overflowed a 32-bit int"); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
return value; |
|
|
|
|
@ -7524,9 +7562,13 @@ static int stbi__pnm_info(stbi__context *s, int *x, int *y, int *comp) |
|
|
|
|
stbi__pnm_skip_whitespace(s, &c); |
|
|
|
|
|
|
|
|
|
*x = stbi__pnm_getinteger(s, &c); // read width
|
|
|
|
|
if(*x == 0) |
|
|
|
|
return stbi__err("invalid width", "PPM image header had zero or overflowing width"); |
|
|
|
|
stbi__pnm_skip_whitespace(s, &c); |
|
|
|
|
|
|
|
|
|
*y = stbi__pnm_getinteger(s, &c); // read height
|
|
|
|
|
if (*y == 0) |
|
|
|
|
return stbi__err("invalid width", "PPM image header had zero or overflowing width"); |
|
|
|
|
stbi__pnm_skip_whitespace(s, &c); |
|
|
|
|
|
|
|
|
|
maxv = stbi__pnm_getinteger(s, &c); // read max value
|
|
|
|
|
|
Fabian Giesen
ago%!(EXTRA string=2 years)